Reverse Engineering example in GTA: SA

*****GIVE ME FEEDBACK ABOUT MY TUTORIALS! I WANT TO KNOW IF YOU LIKE MY TUTORIAL STYLE AND WHAT I SHOULD IMPROVE

Sup guys! In this tutorial we'll be looking at a basic reverse engineering example in GTA: SA. If you want to follow along, I'll be using Cheat Engine, IDA Pro and Ollydbg (Olly is for debugging purposes). Probably nobody plays this game (neither do I, but I'm hacking this game for learning purposes), but if you do, great! If you don't, still great, because you are still learning how to reverse engineer different games. This tutorial is for beginners that are starting with reverse engineering (I can't call myself experienced, but whatever). If you are learning, my advice is to download the game and follow this tutorial, because you'll learn techniques to find your own stuff.

We'll be looking at how to find the function that displays messages like this:

When we activate/deactivate a cheat, a "Cheat Activated/Deactivated" message pops up. We need to find the cheat flags to get to the function that processes a cheat. In GTA San Andreas the flags are 1 for activated and 0 for deactivated. In this tutorial I'll be using the Mega Jump cheat (YOU CAN USE WHATEVER CHEAT YOU WANT). The address of the state of this cheat is 0x96916C (don't wanna lose time explaining basic stuff; if you don't like being spoon-fed, just find the address of another cheat flag with a 0/1 byte scan, because the method is the same).

You can see everything in this screenshot:

Now we want to see what instruction writes to this flag, to get to the function that processes a cheat.
Right click on the address and select "Find out what writes to this address" (or press F6) and select Yes to attach the Cheat Engine debugger.

After we attached the debugger, let's go back to the game and activate/deactivate our cheat. In my case I'll be activating the cheat again.
An instruction popped up. The instruction moves a value from CL (the low 8 bits of ECX; it's an 8-bit register, which matches the flag being a single byte) to our address.

You can see this here:

Ok, now we can press Stop and go to the disassembler by selecting Show disassembler.

Select the highlighted instruction, press CTRL+G and copy the address. The address is 00438597.

Now it's the IDA Pro part! (As always, you should know at least the basics of the program.)
If your PC doesn't suck like mine, IDA Pro should load everything fast. After that, click on the screen, press G, paste the address we copied before and press OK to jump to it. I'm using text view, btw, because we'll need to copy addresses.

Now let's hit F5 to get our old friend called Pseudocode

The instruction highlighted in my screenshot in ASM form is (you can go back to text view to check if you feel like):

Let's go up a bit and see if we find something useful.
As we can see, v7 is being set to whatever sub_6A0050 returns, and one of the parameters being passed is "CHEAT8". If we look more carefully, there are actually two calls to sub_6A0050, one in each branch of an if/else. We'll see that in this screenshot:

byte_969130 is the array of cheat flags and v6 is the index: our flag at 0x96916C is 0x3C = 60 bytes past 0x969130, so the Mega Jump flag is element 60 of that array. Basically what this is doing is:

if in that index of the array the value is greater than zero, call sub_6A0050 with the last parameter being "CHEAT8".
else call sub_6A0050 with the last parameter being "CHEAT1".

As we saw earlier, when the value is 1 the function sets it to 0 and vice versa, and the comparison above is done on the value before it is flipped. So if the cheat is currently on (1), it's about to be turned off and the string "CHEAT8" is used; that makes "CHEAT8" the key for the deactivation message and "CHEAT1" the key for the activation message.
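Cheat Engine's "find what writes to this address" does this dynamically; the same question can be asked statically by scanning code for instructions whose disp32 operand is the flag address, or an array base just below it (which is exactly how byte_969130[v6] ends up in the decompiler). The following is an added Python example of mine, not code from the tutorial or from the game: it decodes the few x86 ModRM forms that carry a bare 32-bit displacement and classifies each hit as a read or a write. The bytes it scans are constructed and hand-assembled; the only values taken from the tutorial are 0x96916C (the Mega Jump flag) and 0x969130 (byte_969130). The virtual address the blob is assumed to live at is made up.

```python
import struct

REG8  = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

FLAG_ADDR  = 0x96916C   # Mega Jump flag, from the tutorial
SECTION_VA = 0x438500   # assumption: made-up VA for the constructed bytes below

# Constructed, hand-assembled x86 bytes (not the game's code). Each line is one
# instruction; the disp32 fields carry the flag address or the array base 0x969130.
CODE = bytes.fromhex(
    "55"                        # push ebp
    "8BEC"                      # mov  ebp, esp
    "0FB680" "30919600"         # movzx eax, byte ptr [eax+0x969130]   read
    "803D" "6C919600" "00"      # cmp   byte ptr [0x96916C], 0         read
    "8888" "30919600"           # mov   byte ptr [eax+0x969130], cl    write
    "C605" "6C919600" "01"      # mov   byte ptr [0x96916C], 1         write
    "6C919600"                  # the same dword sitting in data: not an access
    "C3"                        # ret
)

def decode_modrm(b):
    return b >> 6, (b >> 3) & 7, b & 7

def memop(mod, rm, disp):
    """Render the two ModRM forms that put a bare disp32 right after the ModRM byte."""
    if mod == 0 and rm == 5:            # [disp32]
        return f"[0x{disp:X}]"
    if mod == 2 and rm != 4:            # [reg32+disp32]; rm == 4 needs a SIB byte, skipped
        return f"[{REG32[rm]}+0x{disp:X}]"
    return None

def classify(code, i, disp):
    """code[i:i+4] is a disp32 of interest; decode the opcode+ModRM in front of it."""
    if i >= 3 and code[i-3] == 0x0F and code[i-2] == 0xB6:       # movzx r32, r/m8
        mod, reg, rm = decode_modrm(code[i-1])
        op = memop(mod, rm, disp)
        return (i - 3, "read", f"movzx {REG32[reg]}, byte ptr {op}") if op else None
    if i < 2:
        return None
    opc = code[i-2]
    mod, reg, rm = decode_modrm(code[i-1])
    op = memop(mod, rm, disp)
    if op is None:
        return None
    start = i - 2
    imm = code[i+4] if i + 4 < len(code) else None                 # imm8 follows the disp32
    if opc == 0x88:                                                # mov r/m8, r8
        return (start, "write", f"mov byte ptr {op}, {REG8[reg]}")
    if opc == 0x8A:                                                # mov r8, r/m8
        return (start, "read", f"mov {REG8[reg]}, byte ptr {op}")
    if opc == 0xC6 and reg == 0 and imm is not None:               # mov r/m8, imm8
        return (start, "write", f"mov byte ptr {op}, {imm}")
    if opc == 0x80 and reg == 7 and imm is not None:               # cmp r/m8, imm8
        return (start, "read", f"cmp byte ptr {op}, {imm}")
    if opc == 0xFE and reg in (0, 1):                              # inc/dec r/m8
        return (start, "write", f"{'inc' if reg == 0 else 'dec'} byte ptr {op}")
    return None

def find_accesses(code, flag_addr, section_va, window=0x80):
    """List recognised instructions whose disp32 is flag_addr itself or an array
    base up to `window` bytes below it (so byte_969130[idx]-style code is caught)."""
    hits = []
    for i in range(len(code) - 3):
        disp = struct.unpack_from("<I", code, i)[0]
        if not (flag_addr - window <= disp <= flag_addr):
            continue
        r = classify(code, i, disp)
        if r is None:
            continue
        start, kind, text = r
        hits.append({"va": section_va + start, "kind": kind, "insn": text,
                     "index": flag_addr - disp})   # 0 = direct; N = element N of an array
    return hits

if __name__ == "__main__":
    for h in find_accesses(CODE, FLAG_ADDR, SECTION_VA):
        print(f"{h['va']:08X}  {h['kind']:<5} {h['insn']:<40} index={h['index']}")
```

The raw dword at the end of the blob is there on purpose: a plain search for the little-endian address finds it too, but there is no opcode+ModRM in front of it, so it is dropped. The "index" field is what turns a hit on 0x969130 into the statement "the flag is element 60 of an array", which is the same fact the decompiler expresses as byte_969130[v6].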

Another thing we can see in the pseudocode screenshot is that v7 is passed as a parameter to the next function call, which is interesting.

Btw, v7 is

_BYTE *v7; // pointer to something

Well, let's see what actually sub_6A0050 returns. To jump to the function just double click on the name.

_BYTE *__thiscall sub_6A0050(_BYTE *this, char *a2)

//_BYTE an unknown type; the only known info is its size: 1 byte

So the function is a member function and returns a pointer (address) to something. The first argument is the pointer to the current object (the this pointer; with __thiscall it travels in ECX, not on the stack) and the second argument is a char*, which here is the key string like "CHEAT8".

If you actually try to find strings like "Cheat Activated" in IDA Pro you won't get any results. GTA San Andreas loads the strings from other files into memory and fetches them from there, so the key is in the binary but the text isn't. It's really hard to tell what sub_6A0050 does from the decompiled code alone, so we'll take a guess:

This function is probably returning a pointer to a string.
In these cases our other close friend Ollydbg is always there to help us! We'll check what this function actually returns into v7, since that value is passed as a parameter to sub_588BE0.

Let's go back to that process cheat function! Select sub_588BE0 and press TAB to go back to text view.

push eax is the last push before the call. If you are familiar with assembly, with __cdecl (and __stdcall) the parameters are pushed in reverse order, right to left, so the last push is the first parameter: the value inside eax is the first parameter of sub_588BE0 (the one we want). Copy the address of that instruction, because we are going to use Ollydbg now. The address is 00438552.
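Olly's "Arg1" comment comes from that same reasoning applied mechanically. Here is an added Python example (mine, not code from the tutorial or the game) that does it over a constructed listing with made-up addresses in the same shape as the push/call sequence above, and also checks the add esp that follows the call: a __cdecl caller pops its own arguments, so the adjustment should be 4 bytes times the number of pushes. That is a cheap way to confirm a four-argument __cdecl prototype before trusting what the decompiler prints.

```python
import re

# Constructed listing (not from the game binary): four pushes, the call, and the
# caller-side stack cleanup. Addresses and operands are made up for the demo.
LISTING = """
00401000  mov  eax, [ebp-8]
00401003  push 0
00401005  push 1
00401007  push 0
00401009  push eax
0040100A  call sub_588BE0
0040100F  add  esp, 10h
00401012  mov  ecx, esi
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\w+)\s*(.*)$")

def parse(listing):
    """Turn 'ADDR  mnemonic operands' lines into (addr, mnemonic, operands) tuples."""
    rows = []
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), m.group(2).lower(), m.group(3).strip()))
    return rows

def parse_imm(text):
    """MASM-style immediates: '10h' is hex, otherwise let int() decide (0x.., decimal)."""
    text = text.strip().lower()
    return int(text[:-1], 16) if text.endswith("h") else int(text, 0)

def label_args(listing, callee):
    """Label the pushes before 'call callee' as Arg1..ArgN (nearest push = Arg1)
    and compare the caller's 'add esp, N' with 4*N to confirm __cdecl."""
    rows = parse(listing)
    idx = next(i for i, (_, mn, ops) in enumerate(rows) if mn == "call" and ops == callee)
    pushes = []
    j = idx - 1
    while j >= 0 and rows[j][1] == "push":
        pushes.append(rows[j])
        j -= 1
    labelled = {f"Arg{n}": (f"{addr:08X}", ops) for n, (addr, _, ops) in enumerate(pushes, 1)}
    cleanup = None
    if idx + 1 < len(rows):
        mn, ops = rows[idx + 1][1], rows[idx + 1][2]
        if mn == "add" and ops.lower().startswith("esp,"):
            cleanup = parse_imm(ops.split(",", 1)[1])
    if cleanup is None:
        convention = "no caller cleanup: callee cleans (stdcall/thiscall) or no args"
    elif cleanup == 4 * len(pushes):
        convention = "cdecl"
    else:
        convention = f"mismatch: {len(pushes)} pushes but esp += {cleanup}"
    return labelled, convention

if __name__ == "__main__":
    args, conv = label_args(LISTING, "sub_588BE0")
    for name, (addr, ops) in args.items():
        print(f"{name}: push {ops} at {addr}")
    print("calling convention:", conv)
```

If the add esp after the call were missing, the function would report callee cleanup instead, which is what you would expect for the __thiscall sub_6A0050 rather than for sub_588BE0.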

Now we are going to open Ollydbg and attach it to GTA San Andreas (close Cheat Engine before doing this if you haven't done so yet). Olly pauses the process when it attaches, so press F9 to let it run. Now press CTRL+G, paste that address and select OK to jump to it.

As I said before, the value of eax is being pushed as the first parameter (you can see an "Arg1" comment in the screenshot).
Let's set a breakpoint on this instruction to see what's inside EAX. You can do this by right clicking on the instruction and selecting Breakpoint -> Toggle, or by pressing F2.

Now let's get back to the game, activate/deactivate our cheat again and see what happens.
The breakpoint was hit and we get to see what's inside eax.

YAY! WE WERE CORRECT! That function really returned the address of a string. Now that we know what the first parameter is, we can go back to IDA and jump to sub_588BE0 (press G, type 588be0 and press OK).

char __cdecl sub_588BE0(int a1, char a2, char a3, char a4)

//Calling convention: __cdecl
//return type: char
//Four arguments

I'll be treating the first argument as a char* (IDA sometimes types pointers/addresses as integers) and the other three as integers.

Get the latest version of IDA (7.0) or just get the 6.8 since these are the popular leaked ones with Pseudocode. Then, just navigate to a function and press F5 and it should generate the pseudocode. It's not really a plugin afaik, I thought IDA came with it but I didn't buy it so idfk.